svn commit: r299514 - head/sys/fs/nfsserver
Rick Macklem
rmacklem at uoguelph.ca
Thu May 12 11:20:19 UTC 2016
Oh, and I'll MFC it in 2 weeks unless there is an objection, rick
----- Original Message -----
> Author: cem
> Date: Thu May 12 05:03:12 2016
> New Revision: 299514
> URL: https://svnweb.freebsd.org/changeset/base/299514
>
> Log:
> nfsd: Fix use-after-free in NFS4 lock test service
>
> Trivial use-after-free where stp was freed too soon in the non-error path.
> To fix, simply move its release to the end of the routine.
>
> Reported by: Coverity
> CID: 1006105
> Sponsored by: EMC / Isilon Storage Division
>
> Modified:
> head/sys/fs/nfsserver/nfs_nfsdserv.c
>
> Modified: head/sys/fs/nfsserver/nfs_nfsdserv.c
> ==============================================================================
> --- head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 04:54:32 2016 (r299513)
> +++ head/sys/fs/nfsserver/nfs_nfsdserv.c Thu May 12 05:03:12 2016 (r299514)
> @@ -2437,8 +2437,6 @@ nfsrvd_lockt(struct nfsrv_descript *nd,
> if (!nd->nd_repstat)
> nd->nd_repstat = nfsrv_lockctrl(vp, &stp, &lop, &cf, clientid,
> &stateid, exp, nd, p);
> - if (stp)
> - FREE((caddr_t)stp, M_NFSDSTATE);
> if (nd->nd_repstat) {
> if (nd->nd_repstat == NFSERR_DENIED) {
> NFSM_BUILD(tl, u_int32_t *, 7 * NFSX_UNSIGNED);
> @@ -2460,6 +2458,8 @@ nfsrvd_lockt(struct nfsrv_descript *nd,
> }
> }
> vput(vp);
> + if (stp)
> + FREE((caddr_t)stp, M_NFSDSTATE);
> NFSEXITCODE2(0, nd);
> return (0);
> nfsmout:
>
>
More information about the svn-src-head
mailing list